[feature] Secrets stored in Omni
Problem Description
I would like to store secrets in Omni which can be used as part of a cluster template, but not shared or exposed, only added when Omni compiles the template.
Solution
Similar to GitHub Actions secrets, this could be an add-only (no view) secret, and a reference which can be rendered when clusters are deployed. This would allow initial bootstrap secrets (for example to get ExternalSecrets connected and working) in a new cluster, and still not have them visible in cluster templates or patch config screens.
Alternative Solutions
I don't see this as a replacement for External Secrets, but a method to give External Secrets and Tailscale the secrets needed to bootstrap a cluster.
Notes
I'm trying to use clusters almost exclusively ephemerally, so bootstrapping a cluster is a multiple-times-per-day occurrence. Removing the need to have secrets in plain text would be very much appreciated.
It would be great to also be able to deploy these secrets via omnictl. If that were possible then they could live, encrypted, in the same repo which defines the cluster template and be decrypted and deployed as part of CI/CD.
This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days.